Privacy policy

How we handle your data.

Last updated: 2026-04-18

This policy explains what personal data Katalog handles, why we handle it, and what you can do about it. We try to keep this short and readable. If anything is unclear, email hello@katalog.tools.

Who's who

  • Sellers (people who sign up for a Katalog account to run a storefront): Katalog is the data controller for your account data.
  • Buyers (people who place orders through a seller's storefront): the seller is the data controller for the buyer's order data. Katalog acts as the processor on the seller's behalf, storing and displaying it so the seller can fulfil the order.

What we collect

From sellers (account holders):

  • Account email and name, plus whatever you put into your storefront profile (business name, bio, avatar, WhatsApp number, etc.).
  • Your storefront content: products, descriptions, prices, images, categories.
  • Orders and buyer contacts that buyers submit when checking out through your storefront.
  • Login metadata (IP address, device / browser, timestamps) for security and abuse prevention.
  • Usage telemetry — page views, feature usage, basic interaction events — if and when an analytics provider is wired up (see the Cookie Policy for the current status).

From buyers (when you submit an order on a Katalog storefront):

  • Your name and phone number (required so the seller can contact you).
  • Your email, if you choose to provide one.
  • Order contents: items, quantities, notes you add.
  • Basic request metadata (IP, timestamp).

We don't ask for buyer payment details because Katalog doesn't process payments. Payment happens directly between you and the seller, outside Katalog.

Why we use this data

  • To provide, maintain, and improve the service.
  • To send transactional emails — account confirmation, password reset, order notifications to sellers, receipts where relevant.
  • To keep the platform safe: detecting fraud, abuse, and automated attacks.
  • To respond to your support requests and communicate about the service.
  • To comply with legal obligations (tax, accounting, law enforcement requests we're legally required to act on).

We do not sell your data. We do not use it for ad-targeting. We don't share it with third parties except the service providers below.

Who we share it with

  • Supabase — database and authentication infrastructure. Seller and buyer data sits here.
  • Vercel — hosting and content delivery. Serves your storefront pages to visitors.
  • Resend — transactional email delivery (once configured). Handles the signup, reset, and order emails.
  • Error monitoring (e.g. Sentry or Baselime, once configured) — receives crash reports and error logs. We scrub personal data from these where we can.

We only share what each provider needs to do its job. We review their data-protection posture before wiring them in. If we add new processors we'll update this list.

Cookies

We use a small number of cookies, almost all of which are essential for keeping you signed in. See the Cookie Policy for details.

Where your data lives

Your data is stored in a Supabase-managed region (check hello@katalog.tools for the current region — we'll confirm on request). Transfers between regions (for example, if Vercel serves you a page from a different edge location) are covered by standard contractual clauses Supabase and Vercel have in place with their sub-processors.

Your rights

Regardless of where you live, you can:

  • Access your data. Sellers can view their data in the dashboard; buyers can request a copy by emailing the seller whose storefront took their order, or us if the seller can't help.
  • Export your data. Sellers have a download-my-data option in account settings that exports account + storefront + order data.
  • Correct your data — sellers via the dashboard, buyers via the seller who took their order.
  • Delete your account and everything attached to it. Sellers can do this from account settings. Buyers can request deletion from the seller; if the seller doesn't respond within 30 days, email us and we'll help.
  • Object to specific processing, or withdraw consent where we relied on consent. If you're in the EU / UK you also have the right to lodge a complaint with your local data-protection authority.

Data retention

  • Account data stays while your account is active. When you delete it, we purge it from the live database, and it rolls off encrypted backups within 90 days.
  • Order records may be retained longer if the seller's local accounting or tax rules require it (in Egypt, for example, typical retention is 5 years). Sellers decide and communicate this to their buyers.
  • Security logs: kept for up to 12 months for fraud and abuse investigations.

Children

Katalog isn't for people under 13 (or under 16 in the EU). We don't knowingly collect personal data from children in that age range. If you think a child has created an account or submitted buyer data, email hello@katalog.tools and we'll take it down.

Security

We use industry-standard practices: data encrypted in transit (HTTPS) and at rest, row-level security in our database, least-privilege access for our team, and MFA on critical accounts. No system is bulletproof — if something happens, we'll tell affected users without undue delay.

Changes to this policy

We'll update this policy as Katalog evolves. Material changes get a heads-up by email at least 14 days before taking effect.

Contact

Questions, data requests, or complaints: hello@katalog.tools.